US7539719B2 - Method and apparatus for performing multiplication in finite field GF(2n) - Google Patents

Method and apparatus for performing multiplication in finite field GF(2^n)

Info

Publication number: US7539719B2
Authority: US (United States)
Prior art keywords: coefficients, multiplier, storage unit, basis, product
Legal status: Expired - Fee Related
Application number: US10/965,907
Other versions: US20050086278A1 (en)
Inventors: Weon-Il Jin, Mi-Suk Huh, Kyung-Hee Lee, Bum-Jin Im
Current Assignee: Samsung Electronics Co Ltd
Original Assignee: Samsung Electronics Co Ltd
Events: application filed by Samsung Electronics Co Ltd; assigned to SAMSUNG ELECTRONICS CO., LTD. (assignors: HUH, MI-SUK; IM, BUM-JIN; JIN, WEON-IL; LEE, KYUNG-HEE); publication of US20050086278A1; application granted; publication of US7539719B2; expired - fee related.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/38 Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
    • G06F7/48 Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation, using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
    • G06F7/52 Multiplying; Dividing
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers, using residue arithmetic
    • G06F7/724 Finite field arithmetic

Definitions

  • A′ = (a_1′, a_2′, …, a_{n−1}′, (a_0′ ⊕ (f_1 ● a_1′) ⊕ … ⊕ (f_{n−d} ● a_{n−d}′)))   (17)
  • A′ may be defined by Equation 18.
  • A′ = (a_d′, …, a_{n−1}′, (a_0′ ⊕ (f_1 ● a_1′) ⊕ … ⊕ (f_{n−d} ● a_{n−d}′)), …, (a_{d−1}′ ⊕ (f_1 ● a_d′) ⊕ … ⊕ (f_{n−d} ● a_{n−1}′)))   (18)
  • Accordingly, under this assumption d-bit parallel processing can be performed on A′. Further, if the integer d is small enough, the assumption holds in most practical cases, that is, for the elliptic curve cryptosystem parameters of the SEC and ANSI X9.62 standards, so practicability is not compromised.
  • In multiplication according to Equation 19, the process described with reference to Equation 16 is performed in units of d bits. Consequently, time complexity is improved d times while the increase in area complexity is minimized.
  • the apparatus includes a multiplier storing and updating unit 31, which stores the coefficients of a multiplier and calculates the values to be updated, a multiplicand storage unit 32, and an operation unit 33.
  • a basis converting unit, which converts a_i into a_i′ or c_i′ into c_i, is not shown.
  • the multiplier storing and updating unit 31 performs the operations of Equation 20 within Equation 19 to obtain coefficients in the dual basis.
  • A′ := A′ << d
  • the operation unit 33 multiplies the mth multiplicand coefficients by the (m+j)th multiplier coefficients and XORs the products.
  • c_i′ becomes (b_0 ● a_0′) ⊕ (b_1 ● a_1′) ⊕ (b_2 ● a_2′) ⊕ (b_3 ● a_3′) ⊕ (b_4 ● a_4′), and c_{i+1}′ becomes (b_0 ● a_1′) ⊕ (b_1 ● a_2′) ⊕ (b_2 ● a_3′) ⊕ (b_3 ● a_4′) ⊕ (b_4 ● (a_0′ ⊕ a_2′)).
  • FIGS. 3 and 4 illustrate embodiments of basis converting means for multiplication based on the dual basis.
  • the basis converting members shown in FIGS. 3 and 4 are the same as those disclosed in Korean Patent Application No. 200-0069460 filed by the applicant of the present invention.
  • basis conversion can be realized by simply changing the order of the coefficients of the polynomial or performing XOR operations, which are relatively simple.
  • Table 1 shows the performance of the apparatus for performing multiplication using the standard basis.
  • A represents a two-input AND gate
  • X represents a two-input XOR gate
  • R represents a register
  • T_A represents an AND gate delay
  • T_X represents an XOR gate delay
  • n represents a dimension
  • d represents the number of bits in parallel processing.
  • Table 2 shows the performance of the apparatus for performing multiplication using the dual basis, with the same notation as Table 1.
  • Table 3 shows the performance of the apparatus for performing multiplication according to an embodiment of the present invention using the 0.18 µm process technology of Samsung Electronics Co., Ltd. with the performance values described above.
  • the apparatus for performing multiplication based on the dual basis includes the basis converting means.
  • Since the apparatus according to an embodiment of the present invention performs serial multiplication while allowing d-bit parallel processing, it is faster in arithmetic operation than the conventional serial multiplier and minimizes the increase in area complexity. Furthermore, the expected maximum delay is within one clock cycle at 100 MHz. Accordingly, the apparatus can be effectively applied to terminals having a low clock speed.

Abstract

A method of obtaining C = (c_0, …, c_{n−1}), the product of two elements A and B of a finite field GF(2^n). The method includes permuting the last d coefficients (a_{n−1}, …, a_{n−d}) of a multiplier A with predetermined variables (s_{n−1}, …, s_{n−d}); operating C := C ⊕ (b_{i+j} ● A) for the (i+j)th coefficient of a multiplicand B to update coefficients of C, where i and j are integers, and A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0) repeatedly for j = 0 to (d−1) to update coefficients of A, where ⊕ represents an XOR operation and ● represents an AND operation; and repeatedly performing the permuting and operating by increasing i from 0 to (n−1) by d.

Description

BACKGROUND OF THE INVENTION
This application claims the priority of Korean Patent Application No. 2003-72140, filed on Oct. 16, 2003, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
FIELD OF THE INVENTION
The present invention relates to a method and apparatus for performing multiplication in a finite field.
DESCRIPTION OF THE RELATED ART
A finite field GF(2^n) is a number system containing 2^n elements. Based on the fact that each element of the finite field GF(2^n) can be represented by n bits, practical applications of the finite field can be accomplished. Practical applications, such as implementation of an error correction code or elliptic curve cryptosystem in hardware, frequently perform calculations in GF(2^n). An apparatus for encoding/decoding Reed-Solomon codes performs calculation in GF(2^n), and an encryption/decryption apparatus of an elliptic curve cryptosystem performs calculation in GF(2^n) where “n” is a large value.
The addition and multiplication rules of GF(2), whose only elements are the binary digits 0 and 1, are defined by Equation (1).
0 + 0 = 1 + 1 = 0
0 + 1 = 1 + 0 = 1
0 × 0 = 0 × 1 = 1 × 0 = 0
1 × 1 = 1   (1)
Here, addition is a bitwise exclusive OR (referred to as XOR hereinafter) operation, and multiplication is a bitwise AND (referred to as AND hereinafter) operation.
Since the finite field GF(2^n) (n>1) is a number system containing 2^n elements, addition and multiplication correspond to arithmetic modulo an irreducible polynomial of degree n having coefficients in GF(2). The irreducible polynomial of degree n is referred to as the defining polynomial of the finite field. When a root of the defining polynomial is α, an element of the finite field has the standard representation given by Equation (2).
a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}), a_i ∈ GF(2)   (2)
Multiplication of two elements in GF(2^n) is given by polynomial multiplication in α followed by a modulo operation by the defining polynomial. Addition of two elements in GF(2^n) is performed by polynomial addition in α.
Multipliers, which perform multiplication in the finite field, can include a serial multiplier, a parallel multiplier, and a systolic multiplier. The serial multiplier has low area complexity, and the parallel multiplier performs multiplication using only a gate delay without latency. Accordingly, the parallel multiplier has high area complexity compared to the serial multiplier, but can reduce time complexity considerably. The systolic multiplier is designed to increase throughput, and thus, has relatively high area and time complexity.
For the serial multiplier among the multipliers, there is a demand for a method and apparatus for performing multiplication in a finite field by means of the serial multiplier that can reduce computational time and minimize the increase in area complexity.
SUMMARY OF THE INVENTION
The present invention provides a method and apparatus for performing multiplication through d-bit parallel processing when the coefficients of the last d terms in the defining polynomial are assumed to be “0”.
According to an aspect of the present invention, there is provided a method of obtaining C = (c_0, …, c_{n−1}), the product of two elements A and B of a finite field GF(2^n), when a defining polynomial f(x) of degree n in the finite field GF(2^n) is defined by
f(x) = x^n + h(x) = x^n + (f_{n−1}x^{n−1} + … + f_1x + f_0), f_i ∈ {0,1},
where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2 is an integer, α is a root of the defining polynomial, A and B of the finite field are expressed as
A = a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1α + b_2α^2 + … + b_{n−1}α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})
with respect to the root α, and C, the product of A and B, can be rewritten as C = A × B mod f(α), the method comprising: permuting the last d coefficients (a_{n−1}, …, a_{n−d}) of a multiplier A with predetermined variables (s_{n−1}, …, s_{n−d}); operating C := C ⊕ (b_{i+j} ● A) for the (i+j)th coefficient of a multiplicand B to update coefficients of C, where i and j are integers, and A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0) repeatedly for j = 0 to (d−1) to update coefficients of A, where ⊕ represents an XOR operation and ● represents an AND operation; and repeatedly performing the permuting and operating by increasing i from 0 to (n−1) by d.
According to another aspect of the present invention, there is provided an apparatus for obtaining C = (c_0, …, c_{n−1}), the product of two elements A and B of a finite field GF(2^n), when a defining polynomial f(x) of degree n in GF(2^n) is defined by
f(x) = x^n + h(x) = x^n + (f_{n−1}x^{n−1} + … + f_1x + f_0), f_i ∈ {0,1},
where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, A and B of the finite field are expressed as
A = a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1α + b_2α^2 + … + b_{n−1}α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})
with respect to the root α, and C, the product of A and B, can be rewritten as C = A × B mod f(α), the apparatus comprising: a multiplier storage unit, which stores coefficients of a multiplier A; a multiplicand storage unit, which stores coefficients of a multiplicand B; a product storage unit, which stores C, the product of A and B; a multiplication unit, which performs the operation of the following Equation
C := C ⊕ (b_{i+j} ● A),
repeatedly for j = 0 to (d−1), where i and j are integers, ⊕ represents an XOR operation, and ● represents an AND operation, repeatedly performs the above steps by increasing the variable i from 0 to (n−1) by d to obtain updated coefficients of C, and outputs the updated coefficients of C to the product storage unit; and a multiplier updating unit, which performs the operation of the following Equation
A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0)
to update the coefficients of A, where i and j are integers, ⊕ represents an XOR operation, and ● represents an AND operation, and outputs the updated coefficients of A to the multiplier storage unit.
According to still another aspect of the present invention, there is provided a method of obtaining C = (c_0, …, c_{n−1}), the product of two elements A and B of a finite field GF(2^n), when a defining polynomial f(x) of degree n in GF(2^n) is defined as
f(x) = x^n + h(x) = x^n + (f_{n−1}x^{n−1} + … + f_1x + f_0), f_i ∈ {0,1},
where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, A and B of the finite field have a standard representation with respect to the root α as shown in
A = a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1α + b_2α^2 + … + b_{n−1}α^{n−1} = (b_0, b_1, b_2, …, b_{n−1}),
A′, a dual representation of A, is expressed as
A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′),
and C can be written as C = A × B mod f(α), the method comprising: converting A into A′; operating the following formulae
s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′)
c_{i+j}′ := (b_0 ● a_j′) ⊕ … ⊕ (b_{n−1−j} ● a_{n−1}′) ⊕ (b_{n−j} ● s_0) ⊕ … ⊕ (b_{n−1} ● s_{j−1})
repeatedly for j = 0 to d−1 to update coefficients of C′, which is a dual representation of C, where i and j are integers and c_{i+j}′ is a dual representation of c_{i+j}; shifting A′ left d times to update A′; updating the last d coefficients of A′ with s_j; repeatedly performing the operating, shifting, and updating by increasing the variable i from 0 to (n−1) by d to obtain updated coefficients of C′; and performing basis conversion on the updated C′.
According to yet another aspect of the present invention, there is provided an apparatus for obtaining C = (c_0, …, c_{n−1}), the product of two elements A and B of a finite field GF(2^n), when a defining polynomial f(x) of degree n in GF(2^n) is defined as
f(x) = x^n + h(x) = x^n + (f_{n−1}x^{n−1} + … + f_1x + f_0), f_i ∈ {0,1},
where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, the two elements A and B of the finite field have a standard representation with respect to the root α as shown in
A = a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1α + b_2α^2 + … + b_{n−1}α^{n−1} = (b_0, b_1, b_2, …, b_{n−1}),
A′, a dual representation of A, is expressed as
A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′),
and C, the product of A and B, is rewritten as C = A × B mod f(α), the apparatus comprising: a basis converting unit, which converts the standard representation into a dual representation, or converts the dual representation into the standard representation; a multiplicand storage unit, which stores coefficients of a multiplicand B; a multiplier storage unit, which stores the coefficients of A′ obtained by basis conversion of a multiplier A by means of the basis converting unit; a multiplier updating unit, which updates the coefficients of A′ according to a predetermined Equation and outputs the updated coefficients to the multiplier storage unit; and an operation unit, which includes a plurality of multipliers multiplying each mth coefficient from the multiplicand storage unit by each (m+j)th coefficient from the multiplier storage unit, where j varies from 0 to (d−1), and multiplying the last j coefficients from the multiplicand storage unit by a part of the outputs of the multiplier updating unit, and a plurality of logic operation members for performing XOR operations only on the outputs of the multipliers containing the (m+j)th coefficients and outputting the last d c_i's, wherein after C′ is obtained by the operation unit, the basis converting unit converts the basis of C′ to obtain C.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
FIG. 1 illustrates a configuration of an apparatus for performing multiplication using a standard basis according to a first exemplary embodiment of the present invention;
FIG. 2 illustrates a configuration of an apparatus for performing multiplication using a dual basis according to a second exemplary embodiment of the present invention; and
FIGS. 3 and 4 illustrate embodiments of basis converting means for multiplication based on a dual basis.
DETAILED DESCRIPTION OF THE INVENTION
The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown.
A defining polynomial f(x) of a finite field GF(2^n) is represented by Equation 3.
f(x) = x^n + h(x) = x^n + (f_{n−1}x^{n−1} + … + f_1x + f_0), f_i ∈ {0,1}   (3)
If α is a root of the defining polynomial, h(α) is defined by Equation 4.
h(α) = (f_0, f_1, f_2, …, f_{n−1})   (4)
Assume that ⊕ represents a bitwise XOR operation and ● represents a bitwise AND operation. An operation ● between a bit and a vector is defined by Equation 5.
a ● (c_0, …, c_{n−1}) = (a ● c_0, …, a ● c_{n−1}), where a, c_i ∈ {0,1}   (5)
Shift operations designated by >> and << are defined as follows. (a_0, …, a_{n−1}) >> 1 means that each coefficient is shifted right once, as shown in Equation 6.
For [i = n−1 to 1]
  a_i := a_{i−1}
a_0 := 0   (6)
(a_0, …, a_{n−1}) << 1 means that each coefficient is shifted left once, as shown in Equation 7.
For [i = 0 to n−2]
  a_i := a_{i+1}
a_{n−1} := 0   (7)
Two bases, i.e., a standard basis and a dual basis, are used for multiplication of two elements of the finite field according to an embodiment of the present invention.
First, multiplication using the standard basis will now be explained.
When the standard basis is used, two elements A and B of GF(2^n) may be defined by Equation 8.
A = a_0 + a_1α + a_2α^2 + … + a_{n−1}α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1α + b_2α^2 + … + b_{n−1}α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})   (8)
A product C of A and B is defined by Equation 9.
C = A × B mod f(α)   (9)
Here, × represents polynomial multiplication.
Equation 9 can be expanded as the code expression in Equation 10.
C := (0, …, 0)
For [i = 0 to n−1]
  C := C ⊕ (b_i ● A)
  A := (A >> 1) ⊕ (a_{n−1} ● h(α))
  Rename the coefficients of the element A as a_0, …, a_{n−1}   (10)
Multiplication according to Equation 10 will now be explained in detail. The ith coefficient of the multiplicand B is multiplied by each coefficient of the multiplier A, and an exclusive OR (XOR) operation is performed on the results of the multiplication and the previous coefficients of the product C, thereby updating the respective coefficients of C. Also, the coefficient of the highest-power term of A is multiplied by each coefficient of the defining polynomial other than that of its highest-power term. The multiplication results are XORed with the once right-shifted coefficients of A, thereby updating the respective coefficients of A. The final C is obtained by repeating the above-described process n times.
Changes of the multiplier A within the for loop of the multiplication algorithm of Equation 10 will now be explained. When i=k, it is assumed that
f_{n−1} = … = f_{n−d+1} = 0 in b_k ● A, and s_{n−1} := a_{n−1}, …, s_{n−d} := a_{n−d} (d ≥ 2).
When i=k+1, A may be defined by Equation 11, based on Equation 10.
A = (s_{n−1}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1} ● f_1, …, s_{n−1} ● f_{n−d}, 0, …, 0)   (11)
When i=k+2, A may be expressed by Equation 12, based on Equation 10.
A = (s_{n−2}, s_{n−1}, a_0, …, a_{n−3}) ⊕ (0, 0, s_{n−1} ● f_1, …, s_{n−1} ● f_{n−d}, 0, …, 0) ⊕ (0, s_{n−2} ● f_1, …, s_{n−2} ● f_{n−d}, 0, …, 0)   (12)
In the same manner, when i=k+d, A may be defined by Equation 13, based on Equation 10.
A = (s_{n−d}, …, s_{n−1}, a_0, …, a_{n−d−1}) ⊕ (0, …, 0, s_{n−1} ● f_1, …, s_{n−1} ● f_{n−d}) ⊕ … ⊕ (0, s_{n−d} ● f_1, …, s_{n−d} ● f_{n−d}, 0, …, 0)   (13)
Accordingly, under this assumption the d updates from i=k to i=k+d can be carried out together as d-bit parallel processing. Further, if d is small enough, the assumption holds in most practical cases, that is, for the elliptic curve cryptosystem parameters of the SEC and ANSI X9.62 standards, so practicability is not compromised.
Multiplication using the standard basis on which the d-bit parallel processing can be performed can be represented using code expressions. That is, C, the product of A and B, can be represented by Equation 14 when f_{n−1} = … = f_{n−d+1} = 0.
C := (0, …, 0)
For [i = 0 to n−1, i = i+d]
  Let s_{n−1} := a_{n−1}, …, s_{n−d} := a_{n−d}
  For [j = 0 to d−1, j++]
    C := C ⊕ (b_{i+j} ● A)
    A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0)
    Rename the coefficients of A as a_0, …, a_{n−1}   (14)
In multiplication according to Equation 14, the process described with reference to Equation 10 is performed in units of d bits. Consequently, time complexity is improved d times while the increase in area complexity is minimized.
FIG. 1 illustrates a configuration of an apparatus for performing multiplication using the standard basis according to Equation 14 when n=5, f(x)=x5+x2+1, and d=2. The apparatus includes a multiplier storage unit 1, which stores coefficients of the multiplier A, multiplicand storage units 21 and 22, which store coefficients of the multiplicand B, a product storage unit 3, which stores coefficients of the product result, a multiplication unit 4, and a multiplier updating unit 5.
Here, each of the multiplicand storage units 21 and 22 includes d partial storage units. For a kth coefficient of the multiplicand B, when k is modulo operated by d, coefficients corresponding to the same modulo operation results are sorted out and stored into each partial storage unit. Since the shown multiplicand storage units 21 and 22 correspond to a case of d=2, each of them includes a first partial storage unit 21, which stores only coefficients of odd terms, and a second partial storage unit 22, which stores only coefficients of even terms.
The multiplication unit 4 includes a plurality of multipliers (AND gates) and XOR operators. The multipliers form d sets, corresponding to the multiplicand coefficients stored in the partial storage units 21 and 22. The mth multiplier of each of the d sets multiplies the mth multiplicand coefficient output from the corresponding partial storage unit by the mth multiplier coefficient output from the multiplier storage unit 1.
The results of the multiplication are XORed by an mth XOR operator and then added to the corresponding coefficient in the product storage unit 3. That is, the multiplication and XOR operations are performed d bits at a time according to C := C ⊕ (b_{i+j} ● A) of Equation 14, and the results are stored in the product storage unit 3. The multiplier updating unit 5 updates the multiplier coefficients according to
A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0)
of Equation 14 and stores the updated coefficients in the multiplier storage unit 1.
After one cycle, A becomes A = (a_3, a_4, a_0, a_1, a_2) ⊕ (0, 0, 0, a_4, 0) ⊕ (0, 0, a_3, 0, 0) = (a_3, a_4, a_0 ⊕ a_3, a_1 ⊕ a_4, a_2) according to Equation 14.
Multiplication using a dual basis according to an embodiment of the present invention will now be explained.
In multiplication using the dual basis, the product is obtained by multiplying a multiplier represented in the dual basis by a multiplicand represented in the standard basis.
Consider two elements A and B in GF(2^n) represented by Equation 15.
A = a_0 + a_1 α + a_2 α^2 + … + a_{n−1} α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),
B = b_0 + b_1 α + b_2 α^2 + … + b_{n−1} α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})   (15)
Assuming that A′, the dual representation of A, is expressed as
A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′),
C, the product of A and B, is expressed as
C = (c_0, …, c_{n−1}),
and C′, the dual representation of C, is expressed as
C′ = (c_0′, …, c_{n−1}′),
C can be represented using a code expression as shown in Equation 16.
A′ ← A (basis conversion)
For [i = 0 to n−1]
    c_i′ := (b_0 ● a_0′) ⊕ … ⊕ (b_{n−1} ● a_{n−1}′)
    k := (f_0 ● a_0′) ⊕ … ⊕ (f_{n−1} ● a_{n−1}′)
    A′ := A′ << 1
    Rename the coefficients of A′ as a_0′, …, a_{n−1}′
    a_{n−1}′ := k
C ← C′ (basis conversion)   (16)
Multiplication according to Equation 16 will now be explained in detail. First, the multiplier A is converted from the standard basis into the dual basis. c_i′, the ith multiplication result in the dual basis, is obtained by multiplying the coefficients of A′ in the dual basis by the coefficients of the multiplicand B and XORing the results. The coefficient of the highest-power term of A′ is then updated to k, where k is obtained by multiplying the coefficients of the terms of the defining polynomial other than the highest-power term by the coefficients of A′ and XORing the results; the coefficients of A′ are shifted left once before k is written in. After these steps have been repeated n times, C′ is converted into the standard basis.
The changes of A′ within the for loop of Equation 16 will now be explained. If A′ is expressed as
A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′)
when i = k, then, with f_{n−1} = … = f_{n−d+1} = 0, A′ may be represented by Equation 17 when i = k+1.
A′ = (a_1′, a_2′, …, a_{n−1}′, (a_0′ ⊕ (f_1 ● a_1′) ⊕ … ⊕ (f_{n−d} ● a_{n−d}′)))   (17)
When i = k+d, A′ may be defined by Equation 18.
A′ = (a_d′, …, a_{n−1}′, (a_0′ ⊕ (f_1 ● a_1′) ⊕ … ⊕ (f_{n−d} ● a_{n−d}′)), …, (a_{d−1}′ ⊕ (f_1 ● a_d′) ⊕ … ⊕ (f_{n−d} ● a_{n−1}′)))   (18)
When i = k+d, d-bit parallel processing can therefore be performed on A′ under this assumption. Further, a small value of d already covers most practical cases, namely the elliptic curve cryptosystem parameters in the SEC and ANSI X9.62 standards, so practicability is not compromised.
Multiplication using the dual basis, on which d-bit parallel processing can be performed, can be represented using a code expression. That is, C, the product of A and B, may be expressed by Equation 19 when f_{n−1} = … = f_{n−d+1} = 0.
A′ ← A (basis conversion)
For [i = 0 to n−1, i = i+d]
    For [j = 0 to d−1, j++]
        s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′)
        c_{i+j}′ := (b_0 ● a_j′) ⊕ … ⊕ (b_{n−1−j} ● a_{n−1}′) ⊕ (b_{n−j} ● s_0) ⊕ … ⊕ (b_{n−1} ● s_{j−1})
    A′ := A′ << d
    Rename the coefficients of A′ as a_0′, …, a_{n−1}′
    For [j = 0 to d−1, j++]
        a_{n−d+j}′ := s_j
C ← C′ (basis conversion)   (19)
In multiplication according to Equation 19, the process described with reference to Equation 16 is performed d bits at a time. Consequently, time complexity improves by a factor of d while the increase in area complexity is kept small.
FIG. 2 illustrates a configuration of an apparatus for performing multiplication using a dual basis when n = 5, f(x) = x^5 + x^2 + 1, and d = 2. The apparatus includes a multiplier storing and updating unit 31, which stores the coefficients of a multiplier and calculates the values to be updated, a multiplicand storage unit 32, and an operation unit 33. A basis converting unit, which converts a_i into a_i′ or c_i′ into c_i, is not shown.
The multiplier storing and updating unit 31 performs the operations of Equation 20, taken from Equation 19, to obtain the coefficients in the dual basis.
A′ := A′ << d
Rename the coefficients of A′ as a_0′, …, a_{n−1}′
For [j = 0 to d−1, j++]
    a_{n−d+j}′ := s_j   (20)
The operation unit 33 performs the operation corresponding to c_{i+j}′ := (b_0 ● a_j′) ⊕ … ⊕ (b_{n−1−j} ● a_{n−1}′) ⊕ (b_{n−j} ● s_0) ⊕ … ⊕ (b_{n−1} ● s_{j−1}) of Equation 19, where a′ = (a_0′, …, a_{n−1}′) are the multiplier coefficients output from the multiplier storing and updating unit 31 and b = (b_0, …, b_{n−1}) are the multiplicand coefficients output from the multiplicand storage unit 32. That is, the operation unit 33 multiplies the mth multiplicand coefficient by the (m+j)th multiplier coefficient and XORs the results of the multiplication. The final j multiplicand coefficients are multiplied by the coefficients s_0, …, s_{j−1}, which are obtained from s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′); the coefficients s_0, …, s_{j−1} are determined by a′, which is updated using Equation 20.
Accordingly, after one cycle, A′ becomes A′ = (a_2′, a_3′, a_4′, a_0′ ⊕ a_2′, a_1′ ⊕ a_3′). Further, c_i′ becomes (b_0 ● a_0′) ⊕ (b_1 ● a_1′) ⊕ (b_2 ● a_2′) ⊕ (b_3 ● a_3′) ⊕ (b_4 ● a_4′), and c_{i+1}′ becomes (b_0 ● a_1′) ⊕ (b_1 ● a_2′) ⊕ (b_2 ● a_3′) ⊕ (b_3 ● a_4′) ⊕ (b_4 ● (a_0′ ⊕ a_2′)).
The reference numerals t0-t4 and D0-D4 have been used in FIG. 2 so that the operations of the operation unit 33 are more easily understood.
FIGS. 3 and 4 illustrate embodiments of basis converting means for multiplication based on the dual basis. The basis converting members shown in FIGS. 3 and 4 are the same as those disclosed in Korean Patent Application No. 200-0069460 filed by the applicant of the present invention. Referring to FIGS. 3 and 4, basis conversion can be realized simply by changing the order of the coefficients of the polynomial or by performing XOR operations, both of which are relatively simple.
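The two multipliers described above, Equation 14 with the d-bit multiplier update of FIG. 1 and Equations 16, 19 and 20 with the dual-basis update of FIG. 2, as an added worked example in Python; this is illustration code, not the patent's own, and it makes the following assumptions. Coefficient vectors are indexed from a_0 and the multiplicand bits b_k are taken as 0 for k ≥ n when n is not a multiple of d. The dual basis is taken with respect to the linear functional L(x) = (coefficient of α^0 in x), because the patent's basis converting unit of FIGS. 3 and 4 is not reproduced here; any non-zero linear functional yields a valid dual basis, in which a_i′ = L(α^i A), so c_i′ = L(α^i C) = ⊕_k b_k a_{i+k}′ and the fill-in values obey a_{n+m}′ = ⊕_k f_k a_{m+k}′, which is exactly the k of Equation 16 and the s_j of Equations 19 and 20. The conversion back from C′ solves the linear system over GF(2). The check against a schoolbook reference uses the patent's example f(x) = x^5 + x^2 + 1 with d = 2 and, going beyond the page, the SEC sect163k1 reduction polynomial x^163 + x^7 + x^6 + x^3 + 1 with d = 8 (an added parameter set, one of the SEC curves the text alludes to).

```python
"""Serial GF(2^n) multiplication with d-bit parallel processing in the standard basis
(Equation 14, FIG. 1) and the dual basis (Equations 16, 19, 20, FIG. 2).  Added example,
not the patent's code.  Elements are lists of 0/1 coefficients, index i = coefficient of
alpha^i; f = [f_0, ..., f_{n-1}] gives x^n + f_{n-1}x^{n-1} + ... + f_0.  Dual coordinates
use the functional L(x) = coefficient of alpha^0 of x (an assumption, see lead-in)."""
import random

def xor(u, v):
    return [x ^ y for x, y in zip(u, v)]

def check_params(n, f, d):
    # Both schemes require f_0 = 1 and f_{n-1} = ... = f_{n-d+1} = 0.
    if len(f) != n or f[0] != 1 or d < 1 or any(f[k] for k in range(n - d + 1, n)):
        raise ValueError("need n coefficients, f_0 = 1 and the top d-1 coefficients zero")

def alpha_powers(n, f, count):
    """Standard-basis vectors of alpha^0 .. alpha^(count-1), reduced mod f."""
    p, out = [1] + [0] * (n - 1), []
    for _ in range(count):
        out.append(p)
        top, p = p[-1], [0] + p[:-1]          # multiply by alpha
        p = xor(p, f) if top else p           # alpha^n = f_{n-1}alpha^{n-1} + ... + f_0
    return out

def mul_reference(a, b, f):
    """Schoolbook product over the power table; used only to check the others."""
    pw, c = alpha_powers(len(a), f, 2 * len(a) - 1), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if ai & bj:
                c = xor(c, pw[i + j])
    return c

def standard_cycle(a, f, d):
    """One cycle of the multiplier updating unit: the d values of A seen by the
    multiplication unit during the cycle, and A at the end of the cycle."""
    n = len(a)
    s = [a[n - 1 - j] for j in range(d)]      # s_{n-1}, ..., s_{n-d}
    seen = []
    for j in range(d):
        seen.append(a)
        # A := (s_{n-1-j}, a_0, ..., a_{n-2}) xor (0, s f_1, ..., s f_{n-d}, 0, ..., 0)
        fb = [0] + [s[j] & f[k] for k in range(1, n - d + 1)] + [0] * (d - 1)
        a = xor([s[j]] + a[:-1], fb)
    return seen, a

def mul_standard(a, b, f, d):
    """Equation 14: C := C xor (b_{i+j} AND A), d multiplicand bits per cycle."""
    n = len(a)
    check_params(n, f, d)
    b = list(b) + [0] * (-n % d)             # b_k = 0 for k >= n (padding assumption)
    c = [0] * n
    for i in range(0, n, d):
        seen, a = standard_cycle(a, f, d)
        for j in range(d):
            if b[i + j]:
                c = xor(c, seen[j])
    return c

def from_dual(cp, T):
    """Solve T c = c' over GF(2) by Gauss-Jordan elimination (T is invertible)."""
    n = len(T)
    aug = [T[i] + [cp[i]] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = xor(aug[r], aug[col])
    return [aug[i][n] for i in range(n)]

def dual_cycle(ap, f, d):
    """Equation 20: s_j = a'_j xor f_1 a'_{j+1} xor ... xor f_{n-d} a'_{n-d+j} (f_0 = 1 gives
    the a'_j term), then A' << d with s_0 .. s_{d-1} in the last d places."""
    n = len(ap)
    s = [sum(f[k] & ap[j + k] for k in range(n - d + 1)) & 1 for j in range(d)]
    return s, ap[d:] + s

def mul_dual(a, b, f, d):
    """Equation 19: c'_{i+j} = sum_k b_k a'_{i+j+k}, where a' past position n-1 are the s_j."""
    n = len(a)
    check_params(n, f, d)
    pw = alpha_powers(n, f, 2 * n - 1)
    T = [[pw[i + j][0] for j in range(n)] for i in range(n)]   # T[i][j] = L(alpha^(i+j))
    ap, cp = [sum(x & y for x, y in zip(a, row)) & 1 for row in T], [0] * n   # A' <- A
    for i in range(0, n, d):
        s, nxt = dual_cycle(ap, f, d)
        window = ap + s                       # a'_i, ..., a'_{i+n+d-1}
        for j in range(min(d, n - i)):
            cp[i + j] = sum(b[k] & window[j + k] for k in range(n)) & 1
        ap = nxt
    return from_dual(cp, T)                   # C <- C' (basis conversion)

def verify(f, d, pairs):
    """True when both multipliers agree with the schoolbook reference on every (a, b)."""
    return all(mul_standard(a, b, f, d) == mul_reference(a, b, f) == mul_dual(a, b, f, d)
               for a, b in pairs)

F5 = [1, 0, 1, 0, 0]                                          # x^5 + x^2 + 1 (FIGS. 1 and 2)
F163 = [1 if k in (0, 3, 6, 7) else 0 for k in range(163)]    # x^163 + x^7 + x^6 + x^3 + 1
ALL5 = [[(v >> k) & 1 for k in range(5)] for v in range(32)]  # every element of GF(2^5)
RNG = random.Random(1)                                        # constructed GF(2^163) operands
RAND163 = [[RNG.randint(0, 1) for _ in range(163)] for _ in range(4)]
```

standard_cycle([1, 0, 0, 1, 1], F5, 2)[1] reproduces the one-cycle result (a_3, a_4, a_0 ⊕ a_3, a_1 ⊕ a_4, a_2) quoted for FIG. 1, and dual_cycle reproduces (a_2′, a_3′, a_4′, a_0′ ⊕ a_2′, a_1′ ⊕ a_3′) from FIG. 2. For this trinomial and this choice of L, the conversion matrix T comes out as a permutation plus a single XOR, the kind of converter the description of FIGS. 3 and 4 refers to; the property the apparatus relies on is only that T is invertible, which holds for every non-zero L.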
Table 1 shows the performance of the apparatus for performing multiplication using the standard basis.
TABLE 1
| Defining polynomial | Area complexity | Maximum delay | Latency (cycles) |
|---|---|---|---|
| Trinomial | A: dn, X: dn + d, R: 2n + d | T_A + (d + 1)T_X | n/d |
| Pentanomial | A: dn, X: dn + 3d, R: 2n + d | T_A + (d + 3)T_X | n/d |
Here, A represents a two-input AND gate, X represents a two-input XOR gate, R represents a register, T_A represents an AND gate delay, T_X represents an XOR gate delay, n represents the dimension of the field, and d represents the number of bits processed in parallel.
Table 2 shows the performance of the apparatus for performing multiplication using the dual basis.
TABLE 2
| Defining polynomial | Area complexity | Maximum delay | Latency (cycles) |
|---|---|---|---|
| Trinomial | A: dn, X: dn, R: 2n | T_A + (d + 1)T_X | n/d |
| Pentanomial | A: dn, X: dn + 2d, R: 2n | T_A + (log_2 n)T_X | n/d |
Performance values of the basis converting means are excluded from Table 2.
Table 3 shows the performance of the apparatus for performing multiplication according to an embodiment of the present invention, using the 0.18 µm process technology of Samsung Electronics Co., Ltd. and the performance values described above.
TABLE 3
| Basis | d | Area complexity (# of NANDs) | Maximum delay (ns) | Latency (cycles) |
|---|---|---|---|---|
| Standard | 8 | 13129.7 | 3.707 | 35 |
| Dual | 8 | 13102.3 | 2.793 | 35 |
| Standard | 4 | 8169.5 | 2.427 | 71 |
| Dual | 4 | 8176.8 | 2.793 | 71 |
| Standard | 2 | 5689.3 | 1.147 | 142 |
| Dual | 2 | 5714.0 | 2.793 | 142 |
Here, the apparatus for performing multiplication based on the dual basis includes the basis converting means.
According to Table 3, each doubling of computational speed increases area complexity by approximately 1.43 to 1.61 times. Therefore, the area complexity does not rise rapidly.
As described above, since the apparatus according to an embodiment of the present invention performs serial multiplication with d-bit parallel processing, it is faster at arithmetic operations than a conventional serial multiplier and keeps the increase in area complexity small. Furthermore, the expected maximum delay fits within one clock cycle at 100 MHz. Accordingly, the apparatus can be effectively applied to terminals having a low clock speed.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims.

Claims (8)

1. A method of performing multiplication through d-bit parallel processing using a serial multiplier by obtaining C = (c_0, …, c_{n−1}) of a product of two elements A and B of a finite field GF(2^n) when a defining polynomial f(x) of degree n in the finite field GF(2^n) is defined by

f(x) = x^n + h(x) = x^n + (f_{n−1} x^{n−1} + … + f_1 x + f_0), f_i ∈ {0,1},

where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, A and B of the finite field are expressed as

A = a_0 + a_1 α + a_2 α^2 + … + a_{n−1} α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),

B = b_0 + b_1 α + b_2 α^2 + … + b_{n−1} α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})

with respect to the root α, and C of the product of A and B can be rewritten as C = A × B mod f(α), the method comprising:
permuting the last d coefficients (a_{n−1}, …, a_{n−d}) of a multiplier, which is A, with predetermined variables (s_{n−1}, …, s_{n−d});
operating C := C ⊕ (b_{i+j} ● A) for the (i+j)th coefficient of a multiplicand, which is B, to update coefficients of C, where i and j are integers, and

A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0)

repeatedly for j = 0 to (d−1) to update coefficients of A, where ⊕ represents an XOR operation and ● represents an AND operation; and
repeatedly performing the permuting and operating by increasing i from 0 to (n−1) by d to obtain a final product C.
2. An apparatus for performing multiplication through d-bit parallel processing using a serial multiplier by obtaining C = (c_0, …, c_{n−1}) of a product of two elements A and B of a finite field GF(2^n) when a defining polynomial f(x) of degree n in GF(2^n) is defined by

f(x) = x^n + h(x) = x^n + (f_{n−1} x^{n−1} + … + f_1 x + f_0), f_i ∈ {0,1},

where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, the two elements A and B of the finite field are expressed as

A = a_0 + a_1 α + a_2 α^2 + … + a_{n−1} α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),

B = b_0 + b_1 α + b_2 α^2 + … + b_{n−1} α^{n−1} = (b_0, b_1, b_2, …, b_{n−1})

with respect to the root α, and C of the product of A and B can be rewritten as C = A × B mod f(α), the apparatus comprising:
a multiplier storage unit, which stores coefficients of a multiplier, which is A;
a multiplicand storage unit, which stores coefficients of a multiplicand, which is B;
a product storage unit, which stores C of the product of A and B;
a multiplication unit, which performs operations of the equation C := C ⊕ (b_{i+j} ● A) repeatedly for j = 0 to (d−1), where i and j are integers, ⊕ represents an XOR operation, and ● represents an AND operation, repeatedly performs the above steps by increasing the variable i from 0 to (n−1) by d to obtain updated coefficients of C, and outputs the updated coefficients of C to the product storage unit; and
a multiplier updating unit, which performs operations of the equation A := (s_{n−1−j}, a_0, …, a_{n−2}) ⊕ (0, s_{n−1−j} ● f_1, …, s_{n−1−j} ● f_{n−d}, 0, …, 0) to update the coefficients of A, where i and j are integers, ⊕ represents an XOR operation, and ● represents an AND operation, and outputs the updated coefficients of A to the multiplier storage unit.
3. The apparatus of claim 2, wherein the multiplicand storage unit includes d partial storage units, and each partial storage unit stores the coefficients having the same modulo operation result when, for a kth coefficient of the multiplicand, the value k is modulo operated by d.
4. The apparatus of claim 3, wherein the multiplication unit includes:
d sets of multipliers, which correspond to the partial storage unit and respectively multiply multiplicand coefficients output from the partial storage unit by multiplier coefficients output from the multiplier storage unit; and
a plurality of logic operation members, which perform a first XOR operation on outputs from an mth multiplier of each set of the multipliers, perform a second XOR operation on a result of the first XOR operation with a value stored in an mth location of the product storage unit, and output the result of the second XOR operation to the product storage unit.
5. A method of performing multiplication in a serial multiplier using a dual basis, where a product is obtained by performing multiplication with a multiplier in a dual basis and a multiplicand in a standard basis by obtaining C = (c_0, …, c_{n−1}) of the product of two elements A and B of a finite field GF(2^n) when a defining polynomial f(x) of degree n in GF(2^n) is defined as

f(x) = x^n + h(x) = x^n + (f_{n−1} x^{n−1} + … + f_1 x + f_0), f_i ∈ {0,1},

where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, A and B of the finite field have a standard representation with respect to the root α as shown in

A = a_0 + a_1 α + a_2 α^2 + … + a_{n−1} α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),

B = b_0 + b_1 α + b_2 α^2 + … + b_{n−1} α^{n−1} = (b_0, b_1, b_2, …, b_{n−1}),

A′, a dual representation of A, is expressed as A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′), and C can be rewritten as C = A × B mod f(α), the method comprising:
converting A into A′;
operating the following formulae

s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′)

c_{i+j}′ := (b_0 ● a_j′) ⊕ … ⊕ (b_{n−1−j} ● a_{n−1}′) ⊕ (b_{n−j} ● s_0) ⊕ … ⊕ (b_{n−1} ● s_{j−1})

repeatedly for j = 0 to d−1 to update coefficients of C′, which is a dual representation of C, where i and j are integers and c_{i+j}′ is a dual representation of c_{i+j};
shifting A′ left d times to update A′;
updating the last d coefficients of A′ with s_j;
repeatedly performing the operating, shifting, and updating by increasing the variable i from 0 to (n−1) by d to obtain updated coefficients of C′; and
performing basis conversion on the updated C′ to obtain a final product C.
6. An apparatus for performing multiplication using a dual basis, where a product is obtained by performing multiplication of a multiplier in a dual basis and a multiplicand in a standard basis, obtaining C = (c_0, …, c_{n−1}) of a product of two elements A and B of a finite field GF(2^n) when a defining polynomial f(x) of degree n in GF(2^n) is defined as

f(x) = x^n + h(x) = x^n + (f_{n−1} x^{n−1} + … + f_1 x + f_0), f_i ∈ {0,1},

where f_{n−1} = … = f_{n−d+1} = 0, d ≥ 2, d is an integer, α is a root of the defining polynomial, A and B of the finite field have a standard representation with respect to the root α as shown in

A = a_0 + a_1 α + a_2 α^2 + … + a_{n−1} α^{n−1} = (a_0, a_1, a_2, …, a_{n−1}),

B = b_0 + b_1 α + b_2 α^2 + … + b_{n−1} α^{n−1} = (b_0, b_1, b_2, …, b_{n−1}),

A′, a dual representation of A, is expressed as A′ = (a_0′, a_1′, a_2′, …, a_{n−1}′), and C of A and B is rewritten as C = A × B mod f(α), the apparatus comprising:
a basis converting unit, which converts the standard representation into a dual representation, or converts the dual representation into the standard representation;
a multiplicand storage unit, which stores coefficients of a multiplicand B;
a multiplier storage unit, which stores coefficients of A′ obtained by converting the basis of a multiplier A by means of the basis converting unit;
a multiplier updating unit, which updates the coefficients of A′ according to a predetermined equation and outputs the updated coefficients to the multiplier storage unit; and
an operation unit, which includes a plurality of multipliers multiplying each mth coefficient from the multiplicand storage unit by each (m+j)th coefficient from the multiplier storage unit, where j varies from 0 to (d−1), and multiplying the last j coefficients from the multiplicand storage unit by a part of the outputs from the multiplier updating unit, and a plurality of logic operation members for performing XOR operations on only the outputs containing the (m+j)th coefficients from the plurality of multipliers and outputting the last d c_i′ values,
wherein, after C′ is obtained by the operation unit, the basis converting unit converts the basis of C′ to obtain C.
7. The apparatus of claim 6, wherein the operation unit performs operations of the equations

s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′)

c_{i+j}′ := (b_0 ● a_j′) ⊕ … ⊕ (b_{n−1−j} ● a_{n−1}′) ⊕ (b_{n−j} ● s_0) ⊕ … ⊕ (b_{n−1} ● s_{j−1})

repeatedly for j = 0 to (d−1), where i and j are integers and c_{i+j}′ is a dual representation of c_{i+j}, using the plurality of multipliers and logic operation members, outputs d coefficients of C′, which is a dual representation of C, and obtains c_{i+j}′, which is a dual representation of the (i+j)th coefficient of C, by increasing the variable i from 0 to (n−1) by d.
8. The apparatus of claim 6, wherein the multiplier updating unit:
shifts A′ stored in the multiplier storage unit left d times to update A′; and performs operations of the equations

s_j := a_j′ ⊕ (f_1 ● a_{j+1}′) ⊕ … ⊕ (f_{n−d} ● a_{n−d+j}′)

a_{n−d+j}′ := s_j

repeatedly for j = 0 to (d−1) to update the last d coefficients of A′.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020030072140A KR100552694B1 (en) 2003-10-16 2003-10-16 Method and apparatus for multiplication operation in finite field
KR2003-72140 2003-10-16

Publications (2)

Publication Number Publication Date
US20050086278A1 US20050086278A1 (en) 2005-04-21
US7539719B2 true US7539719B2 (en) 2009-05-26

Family

ID=34510895

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/965,907 Expired - Fee Related US7539719B2 (en) 2003-10-16 2004-10-18 Method and apparatus for performing multiplication in finite field GF(2n)

Country Status (2)

Country Link
US (1) US7539719B2 (en)
KR (1) KR100552694B1 (en)



Also Published As

Publication number Publication date
US20050086278A1 (en) 2005-04-21
KR20050036451A (en) 2005-04-20
KR100552694B1 (en) 2006-02-20


Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JIN, WEON-IL;HUH, MI-SUK;LEE, KYUNG-HEE;AND OTHERS;REEL/FRAME:015899/0470

Effective date: 20041015

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20130526